Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Movi Review-First Bundle

v1.0.0

Teach an agent to install Movi's local MCP server, stay review-first, and use the safest manifest and batch-analysis tools before deeper mutation.

by Yifeng [Terry] Yu @xiaojiou176

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaojiou176/movi-review-first-bundle.

Install the skill "Movi Review-First Bundle" (xiaojiou176/movi-review-first-bundle) from ClawHub.
Skill page: https://clawhub.ai/xiaojiou176/movi-review-first-bundle
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install movi-review-first-bundle

ClawHub CLI

npx clawhub@latest install movi-review-first-bundle

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability

The name/description promise (install and run a local Movi MCP server and follow a review-first workflow) matches the included content: SKILL.md, INSTALL.md, demo, configs, and a canonical_repo pointing to a GitHub repo that contains the tooling. The manifests and reference files consistently describe local-first usage and explicitly avoid claiming hosted listings.

Instruction Scope

The runtime instructions direct the operator to clone the referenced GitHub repo and run repo-provided scripts (bash tooling/runtime/bootstrap_env.sh, npm run mcp:tools, etc.). These steps are coherent with installing a local toolchain but do allow arbitrary code execution from the cloned repository; the SKILL.md itself does not attempt to read unrelated system files or exfiltrate data. It also instructs replacing placeholder absolute paths before attaching the MCP server, which is a reasonable safety step but requires operator attention.

Install Mechanism

This is an instruction-only skill (no install spec). The packet instructs the host to git-clone a public repo (canonical_repo: xiaojiou176-open/movi-organizer) and run npm/bash scripts. Downloading and running remote repository code is expected for this purpose but carries the usual risk of executing external code; the package does not itself embed binary downloads from unknown hosts or use obscure URLs.

Credentials

The skill declares no required environment variables or credentials, which aligns with its local-first claim. However, the instructions implicitly require runtime tools (bash and Node/npm) and filesystem access to check out and run the repo; these binaries are not enumerated in the metadata. No unrelated cloud credentials or secrets are requested.

Persistence & Privilege

The skill is not always:true and does not request persistent privileges. It is user-invocable and can be invoked autonomously by the agent (platform default), but nothing in the packet requests elevated system configuration changes or modifies other skills' settings.

Assessment

This skill is internally coherent for installing and using a local Movi MCP review-first workflow, but it instructs you to clone and run code from the repository xiaojiou176-open/movi-organizer. Before you run any bootstrap or npm scripts: (1) inspect the repository contents and the specific scripts referenced (tooling/runtime/bootstrap_env.sh, tooling/gates/verify_repo_final.sh, run_mcp_stdio.sh, package.json scripts) to ensure they do not perform unwanted actions; (2) replace any placeholder absolute paths in the provided config snippets so they do not point to sensitive locations; (3) run the install steps in a sandboxed or least-privileged environment if possible (container/VM); (4) ensure your host has bash and Node/npm installed — add these as explicit prerequisites if you plan to rely on the skill; and (5) if you need higher assurance, request the repository owner provide a reproducible build artifact or a vetted release rather than running master branch scripts directly. Overall: coherent and plausible for its stated purpose but exercise normal caution when cloning and executing third-party repository scripts.

Like a lobster shell, security has layers — review code before you run it.

Tags: batch, latest, mcp, media, movi, review-first
70 downloads
0 stars
1 versions
Updated 2w ago
v1.0.0
MIT-0

Movi Review-First Bundle

Teach the agent how to install, connect, and use Movi as a local-first review-first MCP workflow.

Use this skill when

  • the user wants to inspect one batch or review queue before executing anything
  • the host can run a local MCP server from a repo checkout
  • the operator wants a truthful packet that explains install, attach, proof, and safe-first usage without claiming a live listing

What this package teaches

  • how to wire Movi MCP into Codex, Claude Code, OpenHands, or OpenClaw
  • which Movi tools are safe first when the work must stay review-first
  • how to inspect jobs, manifests, and review rules before calling heavier mutation tools
  • how to keep listing claims honest while still proving the packet is real

Start here

  1. Read references/INSTALL.md
  2. Load the right host config from:
  3. Skim the tool surface in references/CAPABILITIES.md
  4. Run the first-success path in references/DEMO.md

Safe-first workflow

  1. jobs.list
  2. review_queue.get
  3. manifest.get
  4. analyze.create
  5. only then consider preview or patch-style actions such as:
    • manifest.patch_row
    • manifest.batch_patch
    • review_rule.preview

Suggested first prompt

Use Movi to inspect the current review-first workload. Start with jobs.list, review_queue.get, and manifest.get. Summarize which batch needs attention first. If the manifest looks stable, use analyze.create to produce one analysis artifact. Do not call manifest.patch_row, manifest.batch_patch, or review_rule.apply unless I explicitly ask for a patch or rule change.

Success checks

  • the host can launch the local Movi MCP server from the provided config
  • the packet proves one real job/review queue exists instead of describing an imaginary batch
  • the first analysis artifact is tied to a real manifest or job record

Boundaries

  • Movi stays a local-first review-first MCP workflow, not a hosted SaaS
  • this packet does not claim a live OpenHands or ClawHub listing
  • this packet does not bypass review-first -> dry-run -> execute

Local references
